Notes on the hidden subgroup problem on some semi-direct product groups 
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We consider the hidden subgroup problem on the semi-direct product of cychc groups Zjv xi Zp 
with some restriction on A'^ and p. By using the homomorphic properties, we present a class of semi- 
direct product groups in which the structures of subgroups can be easily classified. Furthermore, 
we show that there exists an efficient quantum algorithm for the hidden subgroup problem on the 

class. 
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I. INTRODUCTION 

Most of exponentially fast quantum algorithms, such 
as the Simon algorithm Ij and the period-finding algo- 
rithm U, can be regarded as one for a special problem 
called the hidden subgroup problem (HSP). The HSP is 
to find a subgroup H oi a given group G with an oracle 
function / defined on G such that /(a) = f{b) if and only 
if aH = bH for all a, b in G. It is well known that if the 
group G is abelian then the HSP on G can be efficiently 
solved by a quantum algorithm of running time polyno- 
mial in log \G\, while no solution is known for the general 
case of nonabelian groups. In particular, since the graph 
isomorphism problem and certain lattice problem can be 
reduced to the HSP on the symmetric group and the HSP 
on the dihedral group, respectively |^, |j| , it was natu- 
rally asked whether there exists an efficient quantum al- 
gorithm for the HSP on nonabelian groups, and has been 
actively studied |E II 1^, 1, III , li, Jl, 11, i4 15. 16, YJl . 

One way to construct a quantum algorithm for the 
HSP is first to explicitly investigate the structures of all 
subgroups of a given group, and then to find a quantum 
algorithm applicable to each subgroup structure. Re- 
cently, Inui and Le Gall d^ presented an efficient quan- 
tum algorithm for the HSP on the groups Zpr x Zp for odd 
prime p by classifying all the possible subgroups. Em- 
ploying such a method, we can also show that there exists 
an efficient quantum algorithm for the HSP on Z2p'- x Zp 
for odd prime p as in Appendix. 

Since multiplicative groups Z*,. and Zjp,- are cyclic, it 



can be verified that Zpr- x Zp and Z2p'- 



X Zp have the 



same form of subgroup structures, and hence we can ob- 
tain the same result for the HSP. However, if one exploits 
the above method to solve the HSP on general semi-direct 
product groups, then it is hard to find a quantum algo- 
rithm for the HSP on the groups since it is difficult, even 
mathematically, to classify the subgroup structures. 
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In this work, we consider the HSP on the semi-direct 
products of cyclic groups Z^v x Zp, where N is factorized 
as A^ = Pi^P? • • • Pn^ , and a prime p does not divide each 
Pj — 1. By using the homomorphic properties, we show 
that there exists an efficient quantum algorithm for the 
HSP on the groups. 

This paper is organized as follows. In Sec^Jwe briefly 
introduce the semi-direct product groups, and explain 
some homomorphic properties of the semi-direct product 
groups. In Sec, mil we show that there exists an efficient 
quantum algorithm for the HSP on the groups. Finally, 
in SeclIVIwe summarize our result. 



II. SEMI-DIRECT PRODUCT GROUPS 

For any positive integer N and p, and any group ho- 
momorphism (f> from the group Zp into the group of 
automorphisms of Z^v, the semi-direct product group 
Zjv X0 Zp is the set {(a, 6) : a G ljN,b S Zp} with the 
group operation (ai,6i) (02, 62) = (ai+</'(&i)(a2), &i+62)- 

We note that the group "Ln x </. Zp is obviously gener- 
ated by the two elements x — (1, 0) and y — (0, 1), and 
that <j) is completely determined by the function value 
(/'(1)(1), since </) : Zp ^ Aut(Z7v) is a homomorphism 
and 0(a) is an automorphism for every a S Zp. Using 
the fact that (j){b){a) = a0(l)(l)'', we obtain the relation 



yV = a;''-^(i)(i) y^ 



(1) 



Due to the facts that 0(1) (1) is relatively prime to N 
and that 0(1) (1)^ = 1 (mod N), Zjv x^Zp is completely 
determined by 0(1)(1). For example, the case 0(1)(1) = 
1 leads to the direct product Z^r x Zp, and if 0(1) (1) ^ 1 
and p is prime then p is the smallest positive integer 
satisfying 



0(1)(1)P = 1 (modiV), 



(2) 



that is, 0(1) (1) is one of elements of Z^ with order p, and 

p is a divisor of ip{N), where ip is the Euler phi- function. 

We now consider the semi-direct product group 

Zqspr x^ Zp, where p and q are distinct primes, and s 



and r are positive integers. Since Zgspr x^ Zp is isomor- 
phic to (Zqs X Zpr) X0 Zp, for each a S Zp, (?!)(a) can 
be regarded as an automorphism on Z^s x Zpr such that 
(/)(1)(1) is an element in Z*s x Z*r of order p. Then we 
can obtain the following lemma: 

Lemma 1. For each a G Zp, a G Z^a and b G Zpr, 
</)(a)(a, 0) = (a', 0) and 0(q:)(O, b) = (0, 6') /or some a' G 
Zgs and b' G Zpr . 

Proof. Suppose (/)(a)(l,0) = (c, d) for some c G Zgs 
and d G Zpr. Then since 4>{a) is an homomorphism, 
0(a)(O,O) = (0,0) and 



0(a)(O,O) 



= 0(a)(q^O) 
= <Z^0(a)(l,O) 



(3) 



Since gcd{p,q) = 1 and q^d — (mod p*"), d = 
(mod p*") and 4>{a){l,0) = (c, 0). It follows that for 
any a G Z^s 0(Q:)(a,O) = (a',0) for some a' G Z^s. 
Similarly, we can also obtain that for any b G Zpr, 
</>(«) (0, 5) = (0, b') for some b' G Zpr. D 

Lemma 2. Let p and q be distinct primes satisfying 
p \ q — 1 . Then 

(Zqs X Zpr) X0 Zp = Zg. X (Zpr X^ Zp) (4) 

for some homomorphism ip from TL^ to Aut(Zpr). 

Proof. Since (p{p) — 0(0) is the identity map T on Z^s x 
Zpr , by Lemma ^ we can see 



III. QUANTUM ALGORITHM 

In this section, we present an efficient quantum al- 
gorithm that can solve the HSP over the semi-direct 
product of cyclic groups Z^v x^ Zp, which is not a di- 
rect product of Zjv and Zp, where A^ is factorized as 
N = p^iP^2 ' ' 'Pn"i ^'^^ ^ prime p does not divide each 

Pi - 1- 

Since the pj 's are all distinct primes and p is a divisor 

of(p(7V)=pI^-V?"'---K"-Hpi-i)(p2-i)---(p„-i), 

p = Pk and Tfe > 2 for some fc G {1, 2, . . . , n}. Thus, N is 
a multiple of p^. 

Due to the factorization of N, "L^ is isomorphic to the 
direct product of cyclic groups Z^ri x Zprj x • • • x Zpr„ , 
and we have 

ZaT X0 Zp = (Zpri X Zpr2 X • • • X Zpr„ ) X^ Zp . (7) 

By Lcmma^ for each a G Zp, the automorphism 4'{a) on 



of Z 



X Zprn acts trivially on each component 
, such that p differs pj . Let Xi be the identity on 



Z„ri X • • • X Z r 



X Z„ 



-1 and X2 be the identity on Z ^k+i x 
1 Pfc+i 



Then, by Lemma |21 we obtain 



ZaT X^Zp = Zpri X • • • X Zpr 



XZp;>. X (Zprfe X^Zp), 

(8) 



where Z„ri x 
f 1 



P2 



2 X 



X Z, 



X Z 



p,/' 



is the direct 



(1,0) =X(1,0) = 0(p)(l,O) = </)(l)''(l,0) = (aP,0), (5) each a G Zp. Moreover, since Zpri x Zpr2 x 



product of Z rj 's except Z r^. and i/) is a homomorphism 
from Zp to Aut(Z rfe ) such that 4){a) = Zi x ^/'(q;) XI2 for 

X Z„rfc X 



where (a,0) = 0(1)(1,O) and a^ = 1 (mod q'*). Since the 
order of Z*^ is q*~"'^(q— 1) and p-f 5— 1, we obtain that a 
must be 1, that is, (j) trivially acts on Zgs. Thus, for each 
a G Zp, (j){a) = Xq X ip{a), where Xq is the identity map 
on Zgs and "0 is a homomorphism from Zp to Aut(Zpr). 
Therefore, the operation of the semi-direct product 
group is as follows: 

((a,5),c)((a',6'),c') = ((a, 6) + 0(c)(a', 6'), c + c') 
= (a + a',6 + ?A(c)(6'),c + c'), 



X Zprn is a cyclic group of order N/p]!' , 

ZaT X0 Zp = '^N/p'-k X (Zprfc X^ Zp) 



(9) 



by Eq. (jSJ. Hence, the HSP on Zat x^ Zp is essentially 
equivalent to the HSP on 2.^, -r^ x (Z r^ x^ Zp). 

Furthermore, since the order of TLj^i^k is relatively 
prime to the order of the group Zpr^ x^ Zp, by Lemma^ 



any subgroup H of Z „ 



x(Zp 



X, 



, Zp) is of the form 



and this implies that Eq. Q holds. 



(6) 
D 



Lemma 3. Let Gq and Gi be finite groups such that the 
order of Go is relatively prime to the order of Gi , and 
let H be a subgroup of Gq x Gi . Then H = Hq x Hi for 
some subgroups Hq of Gq and Hi of Gi . 

Proof. Let H he a. subgroup of Gq x Gi of order rs, where 
r and s divide the order of Go and the order of Gi, re- 
spectively. Then it is trivial that r and s are relatively 
prime to each other. Now, for each j = 0, 1, let ttj be 
the natural projection from Go x Gi onto Gj, and let 
^j ^ '^ji.H) C Gj. Then we can readily show that 
H = HoxHi. D 



Hi X H2, where Hi and H2 are subgroups of "Lj^, -r^^ 
and Zprfc x^ Zp, respectively. We note that the HSP 
on a cyclic group and the HSP on a group of the form 
Zprfc x^ Zp can be efficiently solved by quantum algo- 
rithms 0)ll3l- Therefore, we can obtain the following 
result: 



Theorem 1. There exists an efficient quantum algo- 
rithm for the HSP on Zat x^ Zp, where N is factorized 
as N — p\^p^2 ' ' ' P'n J '^^'^ ^ prime p does not divide each 
Pj - 1- 



IV. SUMMARY 

We have considered the hidden subgroup problem on 
the semi-direct product of cyclic groups Zat x Zp with 



some restriction on N and p. By using the homomorphic 
properties, we have presented a class of semi-direct prod- 
uct groups in which the structures of subgroups can be 
easily classified. Furthermore, we have shown that there 
exists an efficient quantum algorithm for the HSP on the 
class. 
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APPENDIX 

In 13] , Inui and Le Gall showed that there exists an ef- 
ficient quantum algorithm solving the HSP on the group 
Zpr X Zp. In this appendix, we show that Inui-Le Gall's 
method can be clearly applied to the case that the group 
is Z2p'- X Zp, where p is an odd prime. 

We first note that the multiplicative group Z2„r is 
cyclic and its order is p'^^^{p — 1), and that Z2p^ Xi4,'^p 
is completely determined by the elements of order p in 

Proposition 1. Let p be an odd prime. Then a € '^2p^ 
and \a\ = p if and only if 



a = (2p'-i + 1)* = 2^p'■ 



1 (mod 2p'"), (A.l) 



forie{l,2,...,p-l}. 

Proof It is clear that (2p'-i + 1)*p = 1 (mod 2p'') and 
(2ip'-i -I- 1)'= = 2ikp'-^ + 1 7^ 1 (mod 2p'') for any k e 
{1, 2, • • • ,p — 1} since p cannot divide ik. 

Furthermore, since Zjpr is a cyclic group of order 

P 



„r-l(p_l) 



A^{2ip'-^ + l:i = 0,l,2,--- ,p^l} 



(A.2) 



is a cyclic subgroup of 'Z2pr . Let m be the minimal posi- 
tive integer such that w™' G A where w is a generator of 
Z2pr. Suppose there exists w^ £ T^p^ such that |u;''| = p. 
Then since b = sm + r for some s, r G Z with < r < ttt,, 
{w'^y = {w'')P = 1 (mod 2p'^). Hence, by the minimality 
of m, we have r = 0. Therefore, w^ € A, that is, every 
element of order p in Z2pr is in A. D 



Structure of the semi-direct product group 



Proposition n implies that 0(1) (1) S A if and only if 
Z2p'- xi0 Zp is well-defined. It follows that there are p— I 
semi-direct product groups of the form Z2p'- yi,f,Zp other 
than Z2pi- X Zp. 



Proposition 2. For each i = 0, 1, 2, . . . ,p — 1, let (j)i 
be a homomorphism from "Lp to Aut(Z2pr) defined as 
(j)i{l){l) = {2p''-^ + ly. Then all Z2p.- x^, Zp s are iso- 
morphic to each other. 

Proof. For each i = 1, 2, . . . ,p — 1, let ^^ be a map from 
^2p- x,/,iZp to Z2p. x^,Zp defined as -^^ix^y^) = x''y''''\ 
where i~^ is the inverse of i in Z* Then it can be easily 
checked that ^^ is a group isomorphism. D 

By Proposition[21 it suffices to consider Z2p>- x^Zp with 
0(1) (1) — 2p^~^ + 1. Now, we formalize the group pre- 
sentation and the properties of the semi-direct product 
group Z2p'- xi(/,Zp, and we then classify all of its subgroups 
in terms of the group presentation. 

The group presentation of Z2p'- x ^ Zp is 

/x, y I x^P" = yP = e, yx ^ x'^'^^'^^^^y = x^P^^'+^y) . 

(A.3) 
Then we can have 

Proposition 3. 






(A.4) 



and 



2p^+^ 
I 77 — ;; — 77 if p^\a and b ^ 0, 



\x y 



2p'' 



otherwise. 



gcd(a, 2p'-) ' 
for any < a < 2p^ — 1 and <b < p — 1. 

Proof. It follows from straightforward calculations that 
the first three properties are true, and for the last one, 
we divide it into several cases. 

Case 1. p'^\a and 6^0. If p'"|a, then a = or a = p^ . 
(a) If a == 0, then x'^y'' = y''. Since b^O, 



kVHIy'Hp 



2p 



r+l 



gcd(a, 2p'-) 



(A.6) 



(b) If a == p'', then x'^y'' = xP^y^. Let \xP^ y^\ = d. Then, 
by ljA.4|) . we have 



{xP^'yY = a;P'^^(('i-i)''P''"+i)y'^'' = e. (A.7) 

Since b ^ 0, d — kp for some fc G Z, and hence 

{xP''y^f = {xP''^')'' = e (A.8) 

which implies 2\k. Thus, 2p\d and {xP y'')^P = e, and 
hence 



2p 



2p 



r+l 



gcd(a, 2p^) 



(A.9) 



Case 2. p"" ] a or b = 0. 

(a) If 6 = then it is clear that 



I a b\ 

\x y 



2p'' 



(A.IO) 



gcd(a, 2p'-) ■ 
(b) If 5 7^ then p" \ a. Let \x°'y''\ = d. Then since 

we have p\d and so [x'^'-y^Y ~ ^"''^ = (x")'* = e. Thus, we 
have 



2p'- 



?cd(a, 2p-) 



(A.12) 



Since p'' f a, the left-hand side of ljA.12|l is a multiple of 
p, and hence 



(rj.aybylp'' /sc'i{a.2p'') _ ^a2p'7gcd(a,2p'') _ ^ 

Therefore, by the minimality of d, we obtain 

2p'' 



d = 



gcd(a, 2p') ■ 



(A.13) 



(A.14) 



D 



Furthermore, for cyclic subgroups generated by the el- 
ement x°'y^ , we can have the following property. 

Proposition 4. Let < a < 2p'^ — 1 and < 6 < p — 1. 

If p^\a and 6^0 then 



{x'^y'') = \ x'^'y'" : < ^ 



< 



2p 



x+l 



?cd(a, 2p-) 



1 



(A.15) 



Otherwise, 



{x^y^) = \ x'^'y'" ■.Q<i< — 



2p'^ 



gcd(a, 2p'') 
Proof. Let i be an arbitrary integer. Then, by HA.4|I 



(A.16) 



Thus 



= {{x''y'')Py^'-^'>''P'''\''''y'' 



and hence 



{x'^'y'" : z e Z} C (a;-^,/^) 



(A.17) 



(A.18) 



(A.19) 



Furthermore, x'"y^^ ^ x°'^y^^, for any i,j with 1 < i < 
j < gj^^^2p'-) ~ 1 if pI" ^i^'i ^ 7^ 0, and with 1 < i < 
- 1 otherwise. Hence, we obtain (|A.15|) and 

D 



7 < 



2p'- 



•^ — gcd(a,2p^) 

(IXT6t . 



Now, we are ready to classify all possible subgroups 
of Z2pr 'Afjj'Lp in terms of group presentation. Let H' = 

H f] (x). Then H' = (x^ p \ for some integers t and s 
with < t < 1 and < s < r. 

We assume that H ^ (x^Pj. Then it is clear that 
x'^oybo g jj fQj. some integers gq and bo with < oq < 
2p'' — 1 and 1 < 6o < P — 1- By Proposition^ x'^°''o y e 
(^x'^°y''°) C H, where b^^ is the multiplicative inverse of 
bo in Z*. Furthermore, since {x'">''o'y)P = x'^o&o^'p e H, 

2*p*~^|ao6Q ^. Thus, we have x'^^ p° y d H where h is 
an integer such that /i2*p*~^ = aofep ^ (mod 2*p'') and 

0<h<p-l. Hence we obtain /x^'p' , x'''^'p'''y\ C i7. 

Let x^y** e i/ with < a < 2p'' - 1 and < 6 < 

p — 1. Then since x' 



h2^p'-% b 



y e [x 



M'p' 



J/ ) by Propo- 



/i2'p="ifc„fc^-l ^ -6^-/i2'p= ifc jg 



sition ^ its inverse {x'^'^^p' ''y'') 

also in (x^^'p''\\ C H. Thus, (a;"2/^)(y-''a;-''2V-'fc) ^^ 

^a-h2 p 6 jg contained in H, and so it is in H'. Hence 
we obtain 2V|a-/i2V"^^, that is, a = 2^p''m+h2'^p''-^b 
for some integer m. Thus, 



X-y^ = (x^'P'Y (x'^^'P'-'S^) e (x^'P\x'^^'P''\) , 

(A.20) 
that is, H= /a;2*P\a;''2V-^y\ 

Therefore we obtain the following proposition. 

Proposition 5. For any subgroup H G 'Z2pr xi^Zp, iJ is 
one of (x^ P ) , or (x^ P , a;''^ p y) for some integers 
t, s, and h with Q<t<l,Q<s<r, and < h < p— 1. 

Proposition 6. Let t, s, and h be integers with < i < 
1; < s < ?■; O'lT'd < ft. < p — 1. Then 



^(bhvaodp)2*p'-\^b\ ^ / ^2^p' ^h2^p'-^ 

J 0<6<p-l 



Proof. For any 6 = 0, • • • , p — 1, and /i = 0, • • • , p — 1, 

(A.21) 



^fc/i2'p=-i 6 ^ x^'^'P'x^'''^ modp)2'p=-i fc 



where I is an integer such that bh — Ip + [bh modp). 
Since a;'2'p° e /a;2*P°\ and x^^'^'p'"' y"" e /x''^'p'"'y\ by 
Proposition 01 

^(6h mod p)2*p-i^6 ^ (x'2*P^)-lx''''2V-^yfc (A.22) 



IS m (x'^ P\ x^"^ P' y 



U 



2. Quantum algorithm 

Here, we present a quantum algorithm solving the HSP 
over Z2p'- X0 Zp, which is the same as that in 13]. The 



hidden subgroup of Tjipr x ^ Zp with respect to the oracle 
function / is denoted by H. Then the procedure is as 
follows. First, employing the abelian HSP algorithm on 

a cyclic group (x), we find H' = H f] {x) = [x^ p 

' x^'v" ) or H ^ 



and then we determine whether H 



^2*p=^^h2*p= 'y\ and find h if H = U^'p^a 

by means of the following quantum algorithm 
1. Prepare the state 



,/l2*r 



y 



By Proposition|Bl for each integer 6 with < 6 < p— 1, 
the element x^'''^' ™°^ p-'^ p y^ is in the hidden subgroup 
H, and thus all the elements x^^'^'p'^^' x^^^ '^°'^p^'^'p'~\^ 
are mapped to the same value, that is. 



/(^° 



yb) ^ f(x-o2 p'- )^ (A.27) 



for any < ao,b < p — 1. Thus, discarding the third 
register after the second step, the resulting state becomes 



p-ip-i 



-2.Z.I«)l^)/( 



p 



a=0 fc=0 



a2*p' 



y 



(A.23) 



2. Measure the third register. 

3. Apply Tp (g) Tp to the first two registers, where Tp is 
the quantum Fourier transform over Zj,, that is, l = \/— 1 
and 

1 ^~' 
J'pll)^ ^e2'^''^''/P|A:) foraU 0<l<p-l. (A.24) 

4. Measure the first and the second register: we get two 
values c and d. If c = 0, then we regard the procedure 
as failed. Otherwise, compute h = —cP^^d (mod p) and 
output h. 

We repeat this procedure k — 0(1) times, where 
the details are in the next section. If we obtain the 
same h at every repetition, we conclude that H — 

y) with h — h. If we obtain at least two 



,2*p= 



„h2^ 



different values for h during the k repetitions, we con- 
clude that H = H'. Furthermore, we can readily show 
that the total time complexity is 0{{rlogp)^). 



3. Analysis of the algorithm 

In this section, we show that we can find H with suf- 
ficiently high probability by the above algorithm. 



a. The case when H = ( x^ ''" , x'^'^ ^" y 



For the initial state 



p-ip-i 



-2.Z.I«)l^)/( 



p 



a=Q fc=0 



a2'p=~\h 



y')). 



(A.25) 



take ao = a — bh mod p G Zp. Then the state in ljA.25|) 
can be rewritten by use of the summation on aq instead 
of the summation on a as follows. 

9—1 p— 1 



- 2. / }ao + bh mod p)\b) 



ao=0 b=0 



/(^" 



yl)- (A.26) 



1 ^" 
\ij) ^ ^Y\ao + bh mod p)\b), (A.28) 

where Oq is randomly determined by the measurement. 

By applying the quantum Fourier transform to \ijj), the 
state becomes 

p-i p-i 

^p^^plV') ^ ^J2 e^'"-'""'/Pj2^^'"'''^''''^'^^^'''\c)\d) 



b=0 



pVpJ^o 



^ p\ch+d 



(A.29) 



Since, after the fourth step, the measured values c and 
d satisfy p\ch + d, if c ^ then we obtain h by comput- 
ing —cP~'^d mod p. Hence, with probability 1 — 1/p, we 
obtain the value of h. 



/ 2 rt' 

b. The case when H = ( x '^ 



In this case, we note that if x°'y^H ~ x°'y^ H then 



b = fe', and that if x^^'p' \^H 



X" 



since X 



"2V" yfc(a;a2V- yfc) 



y 
b\~l 



X' 



,a'2*p= 



(a-a')2'p° 



y H then 

x^" " '"■ ''' e H, 

we have p \ a — a', which implies a = a' . Thus, 
the oracle function / is an injective map on the set 
(^a2^p'-^yb : <a,6<p- l|. 

After measuring and discarding the third register, the 
state is |-0') = |ao)|5o), where ag and bo are deter- 
mined by the measurement outcome of the third register 

/(a;°o2V-'yfco)\ 

By applying quantum Fourier transform, we can have 



Tp(E)Tp\^') 



1 '^ 



P 



cM=0 



g27rt(aoc+bod)/p|^^|^^^ (A.30) 



which is a uniform superposition of the values c and d in 
Zp. 

If the measurement outcome of the first register is zero, 
that is, c = 0, then we disregard the result. If c is not 
zero, then {h = —cP^^d mod p} forms a uniform distribu- 
tion over Zp. Therefore, with high probability, we obtain 
at least two different values ft.'s. 



c. Success probability 

We now consider the success probability when repeat- 
ing the procedure in the previous section k times, after 
obtaining t and s by the abehan HSP algorithm. 



Ifff 



,2^" T,h2*p' 



y), then, with probability l/p'', 



it fails to output the correct h. 

li H = Ix^P V then the probability that c = in 
the fourth step for every repetition is 1/p^ ■ In addition. 



although all values of c's are not zero, the probability of 
incorrect output, that is, the probability of deciding that 

i/ is iJ = (a;2'p', x^'^'p'''\\ for a value < ft. < p - 1, 
is (2*"' — l)/p^^^ , which can be easily shown. 



Therefore, the total success probability is at least 1 — 
{2^p — p+ l)/p^ , and hence taking some proper constant 
k, we can obtain the correct h with high probability by 
k repetitions. 
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